0
votes

Has anyone found a workaround to deny a user pulling images from Google Container Registry with just the Viewer role? The IAM policy constraint doesn't support Storage bucket deny yet. Wondering how to resolve this issue while allowing a user with the Viewer role to view GCP resources.


2 Answers

0
votes

Members of the "viewer" group have permission to read objects in the artifacts bucket because they are readers in the legacy ACL for the bucket (and all new buckets, by default). So you have to fix it by changing the legacy ACL, rather than the IAM ACL:

  1. Go to https://console.cloud.google.com/storage/browser?project=your-project-123
  2. Edit bucket permissions on the artifacts bucket(s)
  3. Remove "Viewers of project: your-project-123" from "Storage Legacy Bucket Reader"

In the future perhaps this will become an IAM controlled feature (in which case an IAM custom role would be the solution).
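Added example (not part of the answer above): a script that audits a bucket IAM policy, as dumped by `gsutil iam get gs://BUCKET > policy.json`, for the project-viewer legacy read grants and writes a corrected policy that can be applied with `gsutil iam set`. It also strips `roles/storage.legacyObjectReader`, which newer buckets grant to project viewers alongside the bucket-reader role; the sample policy, project id and bucket name are constructed placeholders.

```python
import json
import sys

# Constructed sample shaped like the default policy `gsutil iam get` returns for a
# gcr.io artifacts bucket (gs://artifacts.your-project-123.appspot.com); placeholder ids.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["projectEditor:your-project-123", "projectOwner:your-project-123"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["projectViewer:your-project-123"],
     "role": "roles/storage.legacyBucketReader"},
    {"members": ["projectViewer:your-project-123"],
     "role": "roles/storage.legacyObjectReader"}
  ],
  "etag": "CAE="
}
""")

# Legacy roles that let project viewers list and read objects (image layers).
LEGACY_READER_ROLES = {
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectReader",
}


def viewer_read_grants(policy, project_id):
    """Return the legacy read roles still bound to the project's Viewer group."""
    member = f"projectViewer:{project_id}"
    return sorted(
        b["role"] for b in policy.get("bindings", [])
        if b["role"] in LEGACY_READER_ROLES and member in b.get("members", [])
    )


def strip_viewer_read_grants(policy, project_id):
    """Return a copy of the policy with the Viewer group removed from the legacy
    read roles; other members and the etag (needed by `gsutil iam set`) are kept."""
    member = f"projectViewer:{project_id}"
    bindings = []
    for b in policy.get("bindings", []):
        if b["role"] in LEGACY_READER_ROLES:
            members = [m for m in b.get("members", []) if m != member]
            if not members:          # drop a binding that became empty
                continue
            b = {**b, "members": members}
        bindings.append(b)
    return {**policy, "bindings": bindings}


if __name__ == "__main__":
    # usage: audit_policy.py PROJECT_ID [policy.json] > fixed-policy.json
    project = sys.argv[1] if len(sys.argv) > 1 else "your-project-123"
    policy = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_POLICY
    print("viewer read grants:", viewer_read_grants(policy, project), file=sys.stderr)
    print(json.dumps(strip_viewer_read_grants(policy, project), indent=2))
```

Object ACLs on buckets without uniform bucket-level access are a separate grant path and are not covered by this check.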

0
votes

Another solution would be to create a custom role. In that Custom Role, you could add all the permissions included in a Viewer role, and at the same time deny access to the Bucket by not granting the specific Bucket permissions.